Apparatus, system and method for secure direct communication in proximity based services

ABSTRACT

In order for effectively ensuring security for direct communication in ProSe, a ProSe Function acquires from a 3rd party root keys for each of UEs to derive a pair of session keys for securely conducting direct communication with different UEs, and distributes the acquired root keys to each of the UEs. Each of the UEs derives the session keys by using one of the distributed root keys. Moreover, a plurality of UEs, which form a communication system, and are allowed to conduct direct communication with each other when the UEs are in proximity to each other, share public keys of the UEs therebetween through a node which supports the direct communication upon successfully registering the UEs with the node. Each of the UEs verifies at least a request for the direct communication by using one of the public keys.

TECHNICAL FIELD

The present invention relates to an apparatus, a system and a method forProSe (Proximity based Services). In particular, this invention relatesto security for direct communication in ProSe, and considers networkauthorized direct communication. Moreover, this invention relates toproximity direct communication using PKI (Public-Key Infrastructure),and considers not only one-to-one direct communication, but alsoone-to-many direct communication.

BACKGROUND ART

Direct Communication has been studied by 3GPP (3rd GenerationPartnership Project) (see NPLs 1 and 2).

Key issue for direct communication is to secure an interface PC5. How tosecure the interface PC5 and how to establish security context(including for example, key derivation, allocation, update) from trustsource, with minimal signaling, are important matters.

Note that the interface PC5 is a reference point between UEs (more thanone article of User Equipment) such that the UEs can have directcommunication thereover. The interface PC5 is used for control and userplane for ProSe discovery, direct communication and UE relay. The UEdirect communication can be carried either directly or via LTE-Uu.

CITATION LIST Non Patent Literature

NPL 1: 3GPP TR 33.cde, “Study on security issues to support ProximityServices (Release 12)”, V0.2.0, 2013-07, Clauses 5.4, 5.5 and 6.3, pp.11, 12 and 13-20

NPL 2: 3GPP TR 23.703, “Study on architecture enhancements to supportProximity Services (ProSe) (Release 12)”, V0.4.1, 2013-06, Clauses 5.4,5.12 and 6.2, pp. 13, 17, 18 and 62-82

SUMMARY OF INVENTION Technical Problem

However, the inventors of this application have found that the currentsolution in 3GPP SA3 (Security working group) has the followingdrawbacks.

1) Impact to MME (Mobility Management Entity): it needs MME beinginvolved in the direct communication procedure including key materialallocation.

2) The key allocation procedure happens each time when the UE wants tohave direct communication with another UE, which not only createssignaling but also when concurrent one-to-one communication happens.Therefore, the solution is not efficient.

Accordingly, an exemplary object of the present invention is to providea solution for effectively ensuring security for direct communication inProSe.

Solution to Problem

In order to achieve the above-mentioned object, a UE according to firstexemplary aspect of the present invention includes: acquisition meansfor acquiring root keys from a node upon successfully registering the UEwith the node, the node supporting direct communication between the UEand one or more different UEs that are in proximity to the UE andallowed to communicate with the UE; and derivation means for deriving,by use of one of the root keys, a pair of session keys for securelyconducting direct communication with one of the different UEs.

Further, a node according to second exemplary aspect of the presentinvention supports direct communication between UEs being in proximityto each other and allowed to communicate with each other. This nodeincludes: acquisition means for acquiring root keys from a server uponsuccessfully registering one of the UEs with the node, the root keysbeing used for said one of the UEs to derive a pair of session keys forsecurely conducting direct communication with at least another one ofthe UEs, the server managing the root keys; and distribution means fordistributing the root keys to said one of the UEs.

Further, a server according to third exemplary aspect of the presentinvention includes: storage means for storing root keys for each of UEsto derive a pair of session keys for securely conducting directcommunication with at least another one of the UEs, the UEs being inproximity to each other and allowed to communicate with each other; andresponse means for responding to a request from a node with sending theroot keys to the node, the node supporting direct communication betweenthe UEs.

Further, a communication system according to fourth exemplary aspect ofthe present invention includes: a plurality of UEs that are in proximityto each other and allowed to conduct direct communication with eachother; a node that supports the direct communication; and a server thatmanages root keys for each of UEs to derive a pair of session keys forsecurely conducting direct communication with at least another one ofthe UEs. The node acquires the root keys from the server uponsuccessfully registering each of the UEs with the node, and distributesthe acquired root keys to each of the UEs. Each of the UEs derives thesession keys by using one of the distributed root keys.

Further, a method according to fifth exemplary aspect of the presentinvention provides a method of controlling operations in a UE. Thismethod includes: acquiring root keys from a node upon successfullyregistering the UE with the node, the node supporting directcommunication between the UE and one or more different UEs that are inproximity to the UE and allowed to communicate with the UE; andderiving, by use of one of the root keys, a pair of session keys forsecurely conducting direct communication with one of the different UEs.

Further, a method according to sixth exemplary aspect of the presentinvention provides a method of controlling operations in a node thatsupports direct communication between UEs being in proximity to eachother and allowed to communicate with each other. This method includes:acquiring root keys from a server upon successfully registering one ofthe UEs with the node, the root keys being used for said one of the UEsto derive a pair of session keys for securely conducting directcommunication with at least another one of the UEs, the server managingthe root keys; and distributing the root keys to said one of the UEs.

Further, a method according to seventh exemplary aspect of the presentinvention provides a method of controlling operations in a server. Thismethod includes: storing root keys for each of UEs to derive a pair ofsession key for securely conducting direct communication with at leastanother one of the UEs, the UEs being in proximity to each other andallowed to communicate with each other; and responding to a request froma node with sending the root keys to the node, the node supportingdirect communication between the UEs.

Further, a UE according to eighth exemplary aspect of the presentinvention includes: first means for registering a public key of the UEupon successfully registering the UE with a node, and for retrievingpublic keys of one or more different UEs, the different UEs beingallowed to conduct direct communication with the UE when the differentUEs are in proximity to the UE, the node supporting the directcommunication; and second means for verifying, by using a public key ofa first UE among the different UEs, a request from the first UE toconduct direct communication with the UE, the request being protectedwith a private key of the first UE.

Further, a UE according to ninth exemplary aspect of the presentinvention includes: first means for registering a public key of the UEupon successfully registering the UE with a node, and for retrievingpublic keys of one or more different UEs, the different UEs beingallowed to conduct direct communication with the UE when the differentUEs are in proximity to the UE, the node supporting the directcommunication; and second means for verifying, by using a public key ofa first UE among the different UEs, a response to a protected firstrequest for requesting the first UE to conduct one-to-one directcommunication with the UE, the response being protected with a privatekey of the first UE.

Further, a node according to tenth exemplary aspect of the presentinvention supports direct communication between UEs in proximity to eachother and allowed to communicate with each other. This node includes:reception means for receiving, upon successfully registering one of theUEs with the node, a public key from said one of the UEs; andtransmission means for transmitting, to said one of the UE, public keysof the other UEs as a response to the successful registration. Thepublic keys are used for each of the UEs to verify at least a requestfor the direct communication.

Further, a server according to eleventh exemplary aspect of the presentinvention includes: storage means for storing public keys of UEs thatare allowed to conduct direct communication with each other when the UEsare in proximity to each other, the public keys being registered by anode that supports the direct communication; and response means forresponding to a request from the node with sending the stored publickeys to the node. The public keys are used for each of the UEs to verifyat least a request for the direct communication.

Further, a communication system according to twelfth exemplary aspect ofthe present invention includes: a plurality of UEs that are allowed toconduct direct communication with each other when the UEs are inproximity to each other; and a node that supports the directcommunication. Each of the UEs shares public keys of the UEs through thenode upon successfully registering each of the UEs with the node, andverifies at least a request for the direct communication by using one ofthe public keys. The node receives each of the public keys from each ofthe UEs upon registering each of the UEs with the node, and transmits,to each of the UEs, the public keys of different UEs as a response tothe successful registration.

Further, a method according to thirteenth exemplary aspect of thepresent invention provides a method of controlling operations in a UE.This method includes: registering a public key of the UE uponsuccessfully registering the UE with a node, and retrieving public keysof one or more different UEs, the different UEs being allowed to conductdirect communication with the UE when the different UEs are in proximityto the UE, the node supporting the direct communication; and verifying,by using a public key of a first UE among the different UEs, a requestfrom the first UE to conduct direct communication with the UE, therequest being protected with a private key of the first UE.

Further, a method according to fourteenth exemplary aspect of thepresent invention provides a method of controlling operations in a UE.This method includes: registering a public key of the UE uponsuccessfully registering the UE with a node, and retrieving public keysof one or more different UEs, the different UEs being allowed to conductdirect communication with the UE when the different UEs are in proximityto the UE, the node supporting the direct communication; and verifying,by using a public key of a first UE among the different UEs, a responseto a protected request for requesting the first UE to conduct one-to-onedirect communication with the UE, the response being protected with aprivate key of the first UE.

Further, a method according to fifteenth exemplary aspect of the presentinvention provides a method of controlling a node that supports directcommunication between UEs in proximity to each other and allowed tocommunicate with each other. This method including: receiving, uponsuccessfully registering one of the UEs with the node, a public key fromsaid one of the UEs; and transmitting, to said one of the UE, publickeys of the other UEs as a response to the successful registration. Thepublic keys are used for each of the UEs to verify at least a requestfor the direct communication.

Furthermore, a method according to sixteenth exemplary aspect of thepresent invention provides a method of controlling operations in aserver. This method includes: storing public keys of UEs that areallowed to conduct direct communication with each other when the UEs arein proximity to each other, the public keys being registered by a nodethat supports the direct communication; and responding to a request fromthe node with sending the stored public keys to the node. The publickeys are used for each of the UEs to verify at least a request for thedirect communication.

Advantageous Effects of Invention

According to the present invention, it is possible to solve theabove-mentioned problems, and thus to provide a solution for effectivelyensuring security for direct communication in ProSe.

For example, according to any one of first to seventh exemplary aspects,it is possible to achieve the following advantageous effects.

1) Central root key management, prevent synchronization problem.

2) Reduce root allocation when each time UE needs direct communicationservice.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a block diagram showing a configuration example of acommunication system according to a first exemplary embodiment of thepresent invention.

FIG. 2 is a sequence diagram showing an example of operations forallocating root keys in the communication system according to the firstexemplary embodiment.

FIG. 3 is a sequence diagram showing another example of operations forallocating root keys in the communication system according to the firstexemplary embodiment.

FIG. 4 is a sequence diagram showing an example of operations forderiving a session key in the communication system according to the efirst exemplary embodiment.

FIG. 5 is a sequence diagram showing another example of operations forderiving a session key in the communication system according to thefirst exemplary embodiment.

FIG. 6 is a block diagram showing a configuration example of a UEaccording to the first exemplary embodiment.

FIG. 7 is a block diagram showing a configuration example of a nodeaccording to the first exemplary embodiment.

FIG. 8 is a block diagram showing a configuration example of a serveraccording to the first exemplary embodiment.

FIG. 9 is a block diagram showing a configuration example of acommunication system according to a second exemplary embodiment of thepresent invention.

FIG. 10 is a sequence diagram showing an example of operations forregistering UEs in the communication system according to the secondexemplary embodiment.

FIG. 11 is a sequence diagram showing an example of operations forderiving a session key for one-to-one direct communication in thecommunication system according to the second exemplary embodiment.

FIG. 12 is a sequence diagram showing an example of operations forderiving a session key for one-to-many direct communication in thecommunication system according to the second exemplary embodiment.

FIG. 13 is a block diagram showing a configuration example of a UEaccording to the second exemplary embodiment.

FIG. 14 is a block diagram showing a configuration example of a nodeaccording to the second exemplary embodiment.

FIG. 15 is a block diagram showing a configuration example of a serveraccording to the second exemplary embodiment.

DESCRIPTION OF EMBODIMENTS

Hereinafter, first and second exemplary embodiments of a UE, a node anda server according to the present invention, and a communication systemto which these UE, node and server are applied, will be described withthe accompany drawings.

First Exemplary Embodiment

FIG. 1 shows a configuration example of a communication system forproximity service. Proximity service provides operator networkcontrolled discovery and communications between UEs that are inproximity, for both commercial/social use and public safety use. It isrequired that the ProSe service should be provided to UEs with orwithout network coverage.

As shown in FIG. 1, the communication system according to this exemplaryembodiment includes a plurality of UEs 10_1 to 10_m (hereinafter may becollectively referred to by a code 10), one or more ProSe Functions 20_1to 20_n (hereinafter may be collectively referred to by a code 20), anE-UTRAN (Evolved Universal Terrestrial Radio Access Network) 30, an EPC(Evolved Packet Core) 40, and a ProSe APP (Application) Server 50.

The UE 10 attaches to the EPC 40 thorough the E-UTRAN 30 (i.e., throughinterfaces LTE-Uu and S1), thereby functioning as a typical UE.Moreover, the UE 10 uses the above-mentioned interface PC5, therebyconducting ProSe communication. Prior to the ProSe communication, the UE10 is registered with the ProSe Function 20. Note that the UEs 10_1 to10_m may be registered with the same ProSe Function or mutuallydifferent ProSe Functions. Moreover, some of the UEs 10_1 to 10_m may beregistered with the same ProSe Function.

The ProSe Function 20 is a node which supports the ProSe communicationbetween the UEs 10_1 to 10_m. The ProSe Function 20 can either bedeployed in a certain network node or be an independent node, and mayreside in or out of the EPC 40. The ProSe Function 20 communicates withthe UE 10 through an interface PC3. Further, the ProSe Function 20communicates with the EPC 40 through an interface PC4. Furthermore, theProSe Functions 20_1 to 20_n can communicate with each other through aninterface PC6.

Note that the interface PC3 is a reference point between the UE 10 andthe ProSe Function 20. The interface PC3 is used to define theinteraction between the UE 10 and the ProSe Function 20. An example maybe to use for configuration for Prose discovery and communication.Further, the interface PC4 is a reference point between the EPC 40 andthe ProSe Function 20. The interface PC4 is used to define theinteraction between the EPC 40 and the ProSe Function 20. Possible usecases may be when setting up a one-to-one communication path between theUEs 10_1 to 10_m, or when validating ProSe services (authorization) forsession management or mobility management in real time. Furthermore, theinterface PC6 is a reference point between the ProSe Functions 20_1 to20_n. The interface PC6 may be used for functions such as ProSediscovery between users subscribed to different PLMNs (Public LandMobile Networks).

The E-UTRAN 30 is formed by one or more eNBs (evolved Node Bs) (notshown). The EPC 40 includes, as its network nodes, an MME (MobilityManagement Entity) which manages mobility of the UEs 10_1 to 10_m, andthe like. The ProSe APP Server 50 can communicate with the EPC 40through an interface SGi. Moreover, the ProSe APP Server 50 cancommunicate with the UE 10 through an interface PC1, and can communicatewith the ProSe Function 20 through an interface PC2. Note that theinterface PC1 is a reference point between ProSe APPs in the UEs 10_1 to10_m and the ProSe APP Server 50. The interface PC1 is used to defineapplication level signaling requirements. On the other hand, theinterface PC2 is a reference point between the ProSe Function 20 and theProSe APP Server 50. The interface PC2 is used to define the interactionbetween the ProSe APP Server 50 and ProSe functionality provided by the3GPP EPS (Evolved Packet System) via the ProSe Function 20. One examplemay be for application data updates for a ProSe database in the ProSeFunction 20. Another example may be data for use by the ProSe App Server50 in interworking between 3GPP functionality and application data, e.g.name translation. The ProSe APP Server 50 may reside in or out of theEPC 40.

Although the illustration is omitted, the communication system alsoincludes a server operated by a trust third party. In the followingdescription, this server will be sometimes simply referred to as “third(3rd) party” and referred to by a code 60. Typically, the 3rd party 60manages root keys which will be described later.

Next, operation examples of this exemplary embodiment will be describedin detail with reference to FIGS. 2 to 5. Note that configurationexamples of the UE 10, the ProSe Function 20 and the 3rd party 60 willbe described later with reference to FIGS. 6 and 8.

This exemplary embodiment proposes to use the third party 60 to derive,update and allocate root keys. The ProSe Function 20 supports directcommunication and allocates all the root keys to the UE 10 at itsregistration. Session key are derived at the UE 10 side by using theroot key. For example, the session key is a pair of confidentiality andintegrity keys for protecting messages directly transferred between theUEs 10_1 to 10_m.

<Operations for Allocating Root Key>

There are proposed two options for root key allocation.

Option 1: Root Key is Related to a Given UE

Root key is derived/allocated at registration. Assume that the ProSeFunction 20 has a list of UEs with which the UE 10_1 is allowed tocommunicate, and that the ProSe Function 20 can ask for all the rootkeys for the UE 10_1 from the trust 3rd party 60. The 3rd party 60 isresponsible for key derivation and allocation. The ProSe Functions 20_1to 20_n can retrieve root keys from the 3rd party 60 for the UEs 10_1 to10_m registered to them such that no synchronization is needed betweenthe ProSe Functions 20_1 to 20_n. Each root key is identified by aunique KSI (Key Set Identifier). When direct communication happens, theProSe Function 20 can indicate to the UEs 10_1 to 10_m which KSI to use,or the UEs 10_1 to 10_m can negotiate about it.

Specifically, as shown in FIG. 2, the UE 10_1 registers at the ProSeFunction 20_1 (step S11).

The ProSe Function 20_1 sends Request root keys for the UE 10_1 to thethird party 60 which manages the root key (step S12).

The third party 60 responds the ProSe Function 20_1 with the root keysfor the UE 10_1. Each root key is related to a unique KSI and a UE withwhich the UE 10_1 is allowed to have ProSe service (step S13).

The ProSe Function 20_1 distributes the root keys to the UE 10_1,including the UE ID and KSI (step S14).

The same procedure as steps S11 to S14 is performed between the UE 10_2and the ProSe Function 20_2 (steps S15 to S18).

Option 2: Root Key Pool

Similar to the Option 1, UEs can obtain a key pool, in which each keyhas a unique KSI to identify it. When the UE 10_1 needs session key fordirect communication, network (Prose Function) can indicate which key touse, and also give a same parameter to the UE 10_1 and the UE 10_2 suchthat they can derive same session keys.

The difference compared to the Option 1 is that here the root keys arenot related to any UE. Thus, the ProSe Function 20 needs to ensure thatthe same root key will not be re-used for different UEs.

Specifically, as shown in FIG. 3, the UE 10_1 registers at the ProSeFunction 20_1 (step S21).

The ProSe Function 20_1 sends Request root keys for the UE 10_1 to thethird party 60 which manages the root key (step S22).

The third party 60 responds the ProSe Function 20_1 with a root key poolcontain a bunch of root keys. Each key is related to a unique KSI (stepS23).

The ProSe Function 20_1 distributes the root keys to the UE 10_1 withthe KSIs (step S24).

The same procedure as steps S21 to S24 is performed between the UE 10_2and the ProSe Function 20_2 (steps S25 to S28).

According to this Option 2, it is possible to reduce the amount ofsignaling to the UE compared with the Option 1. This is because the rootkeys are not related to any UE, and thus the number of root keystransmitted to the UE can be smaller than that in the Option 1.Moreover, it is also possible to reduce resources in the UE for storingthe root keys.

In contrast, according to the Option 1, it is possible to reduce load onthe ProSe Function compared with the Option 2. This is because the rootkeys are allocated to the UEs in a one-to-one manner, and thus the ProSeFunction does not need to ensure that the same root key will not bere-used for different UEs.

<Operations for Deriving Session Key>

There are proposed two options for session key derivation andallocation.

Option 1: UE Autonomously Derives Session Key

The UE 10_1 one which initiates direct communication, simply derives asession key, sends it to the ProSe Function, and the ProSe Function willsend it to the other UEs.

Alternatively, as shown in FIG. 4, the UE 10_1 send Direct Communicationrequest to the UE 10_2 (step S31).

In the case where the each root key is related to a given UE as shown inFIG. 2, the UEs 10_1 and 10_2 can identify the same root key to be usedfor deriving a session key, without receiving any instruction fromnetwork. Therefore, the UEs 10_1 and 10_2 derive the session key fromthe identified root key, separately (step S32).

Then, the UE 10_1 and UE 10_2 start direct communication with securityprotection by using the session key (step S33).

Option 2: UE Derives Session Key in Accordance with KSI Indicated byProSe Function

This option is suitable for the case where the root key pool isallocated as shown in FIG. 3.

As shown in FIG. 5, the UE 10_1 sends Direct Communication request withan ID of the UE 10_2 (UE with which the UE 10_1 wants to have directcommunication service) to the ProSe Function 20_1 (step S41).

The ProSe Function 20_1 performs authorization for whether the UE 10_1is allowed to have direct communication with the UE 10_2 (step S42).

Upon a successful authorization, the ProSe Function 20_1 indicates tothe UE 10_1 a root key KSI (step S43).

Further, the ProSe Function 20_1 indicates to the UE 10_2 the root keyKSI via the ProSe Function 20_2 (step S44).

The UE 10_1 and the UE 10_2 derives a session key from the root keyindicated by the KSI, separately (step S45).

Then, the UE 10_1 and the UE 10_2 start direct communication withsecurity protection by using the session key (step S46).

Next, configuration examples of the UE 10, the ProSe Function (node) 20and the 3rd party (server) 60 according to this exemplary embodimentwill be described with reference to FIGS. 6 to 8.

As show in FIG. 6, the UE 10 includes an acquisition unit 11 and aderivation unit 12. The acquisition unit 11 acquires the root keys fromthe ProSe Function 20, upon successfully registering the UE 10 with theProSe Function 20. The derivation unit 12 drives the session keys byusing the acquired root key. In the case where each root key is relatedto a given UE as shown in FIG. 2, the derivation unit 12 uses a root keycorresponding to a UE with which the UE 10 desires to conduct directcommunication, upon deriving the session keys. On the other hand, in thecase where the root key pool is allocated as shown in FIG. 3, thederivation unit 12 uses a root key which is indicated by the KSIreceived from the ProSe Function 20. Note that these units 11 and 12 aremutually connected with each other through a bus or the like. Theseunits 11 and 12 can be configured by, for example, a transceiver whichconducts direct communication with different UEs through the interfacePC5, a transceiver which conducts communication with the ProSe Function20 through the interface PC3, and a controller such as a CPU (CentralProcessing Unit) which controls these transceivers.

As show in FIG. 7, the ProSe Function 20 includes an acquisition unit 21and a distribution unit 22. The acquisition unit 21 acquires the rootkeys from the 3rd party 60, upon successfully registering the UE 10 withthe ProSe Function 20. The distribution unit 22 distributes the acquiredroot keys to the UE 10. In the case where the root key pool is allocatedas shown in FIG. 3, the ProSe Function 20 further includes an indicationunit 23. The indication unit 23 indicates to the UE 10 the KSI of theroot key to be used by the UE 10. Note that these units 21 to 23 aremutually connected with each other through a bus or the like. Theseunits 21 to 23 can be configured by, for example, a transceiver whichconducts communication with the UE 10 through the interface PC3, and acontroller such as a CPU which controls this transceiver.

As shown in FIG. 8, the 3rd party 60 includes a storage unit 61 and aresponse unit 62. The storage unit 61 stores the root keys. The responseunit 62 responds to the request from the ProSe Function 20 with sendingthe root keys to the ProSe Function 20. Note that these units 61 and 62are mutually connected with each other through a bus or the like. Theseunits 61 and 62 can be configured by, for example, a transceiver whichconducts communication with the ProSe Function 20, and a controller suchas a CPU which controls this transceiver.

Second Exemplary Embodiment

FIG. 9 shows a configuration example of a communication system forproximity service. Proximity service provides operator networkcontrolled discovery and communications between UEs that are inproximity, for both commercial/social use and public safety use. It isrequired that the ProSe service should be provided to UEs with orwithout network coverage.

As shown in FIG. 9, the communication system according to this exemplaryembodiment includes a plurality of UEs 110_1 to 110_m (hereinafter maybe collectively referred to by a code 110), one or more ProSe Functions120_1 to 120_n (hereinafter may be collectively referred to by a code120), an E-UTRAN (Evolved Universal Terrestrial Radio Access Network)130, an EPC (Evolved Packet Core) 140, and a ProSe APP (Application)Server 150.

The UE 110 attaches to the EPC 140 thorough the E-UTRAN 130 (i.e.,through interfaces LTE-Uu and S1), thereby functioning as a typical UE.Moreover, the UE 110 uses the above-mentioned interface PC5, therebyconducting ProSe communication. Prior to the ProSe communication, the UE110 is registered with the ProSe Function 120. Note that the UEs 110_1to 110_m may be registered with the same ProSe Function or mutuallydifferent ProSe Functions. Moreover, some of the UEs 110_1 to 110_m maybe registered with the same ProSe Function.

The ProSe Function 120 is a node which supports the ProSe communicationbetween the UEs 110_1 to 110_m. The ProSe Function 120 can be eitherdeployed in a certain network node or be an independent node, and mayreside in or out of the EPC 140. The ProSe Function 120 communicateswith the UE 110 through an interface PC3. Further, the ProSe Function120 communicates with the EPC 140 through an interface PC4. Furthermore,the ProSe Functions 120_1 to 120_n can communicate with each otherthrough an interface PC6.

Note that the interface PC3 is a reference point between the UE 110 andthe ProSe Function 120. The interface PC3 is used to define theinteraction between the UE 110 and the ProSe Function 120. An examplemay be to use for configuration for Prose discovery and communication.Further, the interface PC4 is a reference point between the EPC 140 andthe ProSe Function 120. The interface PC4 is used to define theinteraction between the EPC 140 and the ProSe Function 120. Possible usecases may be when setting up a one-to-one communication path between theUEs 110_1 to 110_m, or when validating ProSe services (authorization)for session management or mobility management in real time. Furthermore,the interface PC6 is a reference point between the ProSe Functions 120_1to 120_n. The interface PC6 may be used for functions such as ProSediscovery between users subscribed to different PLMNs (Public LandMobile Networks).

The E-UTRAN 130 is formed by one or more eNBs (not shown). The EPC 140includes, as its network nodes, an MME (Mobility Management Entity)which manages mobility of the UEs 110_1 to 110_m, and the like. TheProSe APP Server 150 can communicate with the EPC 140 through aninterface SGi. Moreover, the ProSe APP Server 150 can communicate withthe UE 110 through an interface PC1, and can communicate with the ProSeFunction 120 through an interface PC2. Note that the interface PC1 is areference point between ProSe APPs in the UEs 110_1 to 110_m and theProSe APP Server 150. The interface PC1 is used to define applicationlevel signaling requirements. On the other hand, the interface PC2 is areference point between the ProSe Function 120 and the ProSe APP Server150. The interface PC2 is used to define the interaction between theProSe APP Server 150 and ProSe functionality provided by the 3GPP EPS(Evolved Packet System) via the ProSe Function 120. One example may befor application data updates for a ProSe database in the ProSe Function120. Another example may be data for use by the ProSe App Server 150 ininterworking between 3GPP functionality and application data, e.g. nametranslation. The ProSe APP Server 150 may reside in or out of the EPC140.

Although the illustration is omitted, the communication system alsoincludes a server operated by a trust third party. In the followingdescription, this server will be sometimes simply referred to as “third(3rd) party” and referred to by a code 160. Typically, the 3rd party 160manages public keys which will be described later.

Next, operation examples of this exemplary embodiment will be describedin detail with reference to FIGS. 10 to 12. Note that configurationexamples of the UE 110, the ProSe Function 120 and the 3rd party 160will be described later with reference to FIGS. 13 to 15.

This exemplary embodiment proposes to use PKI for direct communication.The UEs 110_1 to 110_m can register their public keys at registrationprocedure and meanwhile obtain other UEs public keys. The ProSe Function120 ensures that the UE 110 is only provided with the public keys of UEswith which the request UE 110 is allowed to have direct communication.The UEs 110_1 to 110_m use the public key to verify the other end suchthat they can derive session key to start direct communication. Forexample, the session key is a pair of confidentiality and integrity keysfor protecting messages directly transferred between the UEs 110_1 to110_m.

The following gives options for key derivation.

1. Use PM for One-to-One Direct Communication:

The UEs 110_1 to 110_m provide their public key at registration andreceive other UEs public keys at a successful registration. For example,the UE 110_1 protects Direct Communication Request with its private key.The UE 110_2, which has received the Direct Communication Request, canverify it with UE1's public key. The UE 110_2 can send material forsession key derivation to the UE 110_1 and they can derive the same keyfor protection their direct communication. The UE 110_1 can verify themessage sent from the UE 110_2 with UE2's public key, thus they can bemutually authenticated.

The session key derivation can:

1) use a root key which is preliminarily acquired from Prose Function asan input with a key material provided by one of the UE to keepfreshness; and

2) also use key exchange scheme (e.g. Diffie-Hellman key exchangescheme) to compute and share a secret key.

Specifically, as shown in FIG. 10, the UE 110_1 registers its public keyduring registration to the ProSe Function 120_1 (step S111).

The Prose Function 120_1 registers the public key of the UE 110_1 in thethird party 160 (step S112).

The third party 160 sends to the Prose Function 120_1 an allowed list.The allowed list contains IDs of UEs with which the UE 110_1 is allowedto have direct communication, and the related public keys of those UEs(step S113).

The Prose Function 120_1 forwards the allowed list to the UE 110_1 (stepS114).

The same procedure as steps S111 to S114 is performed for the UE 110_2(steps S115 to S118).

When the Direction communication starts, as shown in FIG. 11, the UE110_1 sends Direct Communication Request to the Prose Function 120_1,with the ID of the UE 110_2, a public key KSI of the UE 110_1. Themessage can be protected with a private key of the UE 110_1. The messageis forwarded to the Prose Function 120_2 by the Prose Function 120_1(step S121).

Note that the use of KSI is suitable for a case where a plurality ofpublic keys are allocated to the UE 110_1. The UE 110_2 can refer to theKSI to identify one of the public keys corresponding to the private keyused by the UE 110_1.

The Prose Function 120_1 performs authorization on whether the UE 110_1can have direct communication service with the UE 110_2, with ProseFunction 120_2 support (step S122).

Upon successful authorization, the Prose Function 120_2 forwards theDirect Communication Request to the UE 110_2 (step S123).

Note that if direct communication happens when UE are out of coverage,the Direct Communication Request goes directly from the UE 110_1 to theUE 110_2, and the above step S122 is omitted.

The UE 110_2 can perform integrity check on the message with the publickey of the UE 110_1 (step S124).

Upon succeeding in the integrity check, the UE 110_2 derives sessionkey, as described above (step S125).

The UE 110_2 sends Direct Communication Response to the UE 110_1 withmaterials for session key derivation. Alternatively, the UE 110_2includes the derived session key in the Direct Communication Response.The message is protected with a private key of the UE 110_2 (step S126).

The UE 110_1 performs integrity check of the message with the public keyof the UE 110_2 (step S127).

Upon succeeding in the integrity check, the UE 110_1 derives session keyfrom the material (step S128). This step S128 is skipped if the UE 110_1has received the session key from the UE 110_2 at step S126.Alternatively, the UE 110_1 extracts the session key from the DirectCommunication Response by using the public key of the UE 110_2.

After that, Direct communication starts with security protection by thesession key that the UE 110_1 and the UE 110_2 share (step S129).

2. Use PKI for One-to-Many Direct Communication:

The registration procedure is the same with that shown in FIG. 10.

The UE 110_1 protects Direct Communication Request with its private key.Other UEs (e.g. UE 110_2, UE 110_3) can verify it with UE1's public key.

Meanwhile, in this option, the UE 110_1 derives the session key forone-to-many direct communication, and sends the session key to the ProSeFunction 120 along with the Direct Communication Request over securedinterface PC3. The ProSe Function 120 sends the session key to the UE110_2 and the UE 110_3. If the UE 110_2 or the UE 110_3 has registeredwith different ProSe Function, UE 110_1's ProSe Function will forwardthe session key to UE 110_2/110_3's serving ProSe Function. The sessionkey derivation can use UE 110_1's private key or any LTE (Long TermEvolution) key as input.

Specifically, as shown in FIG. 12, the UE 110_1 derives a session keyfor direct communication (step S131).

The UE 110_1 sends Direct Communication Request to the Prose Function120_1, which can be forward to ProSe Functions which serves target UEs(e.g. ProSe Function 20_2, and UEs 110_2 and 110_3). The messagecontains target UE IDs and UE 110_1's public key KSI, which areprotected with UE 110_1's private key. The UE 110_1 also includes thesession key in the message (step S132).

The ProSe Functions 120_1 and 120_2 perform authorization on whether theUE 110_1 can have one-to-many direct communication with the target UEs110_2 and 110_3 (step S133).

The ProSe Function 120_2 forwards the Direct communication Request tothe UEs 110_2 and 110_3 (step S134).

Each of the UEs 110_2 and 110_3 performs integrity check on the messagewith UE 110_1's public key (step S135).

Each of the UEs 110_2 and 110_3 sends the Direct Communication Responseto the UE 110_1, protected with the session key it received (step S136).After that, direct communication starts with security protection by thesession key that the UEs 110_1 to 110_3 share.

3. Use PM One-to-Many Direction Communication without Using Session Key:

Considering a case where the one-to-many communication is one way onlyfrom the UE1 to others, the UE 110_1 simply protects the DirectCommunication with its private key to other UEs. The other UEs who areauthorized to receive the message from the UE 110_1 can get the UE110_1′public key and therefore verify that the message is sent from theUE 110_1 and read it. The network (e.g. ProSe Function) should make surethat unauthorized UEs will not get UE 110_1′public key, and the publickey should not be sent to other UEs.

Thus, it can prevent non-members from listening to ProSe GroupCommunication transmissions (as requested in NPL 2, Clause 5.12).

4. Use PM for One-to-Many-Public Key as Input:

The UEs 110_1 to 110_m derive session key, and input for key derivationis: 1) UE 110_1′public key; 2) a key derivation material received fromthe ProSe Function 120. Requires the UE 110_1′public key and keyderivation material are only provided to the authorized UEs.

How can the UE 110_1 have the same session key:

a) the UE 110_1 keeps the public key and receives key derivationmaterial from the ProSe Function 120, such that it can derive thesession in the same session key;

b) the ProSe Function 120 can derive the key since it knows both UE110_1′public key and key derivation material;

c) the ProSe Function 120 provides a key derivation material which UE110_1 can use it with its private key to derive the same session key.

This requires that key derivation materials to the UE 110_1 and otherUEs have some relation.

Next, configuration examples of the UE 110, the ProSe Function (node)120 and the 3rd party (server) 160 according to this exemplaryembodiment will be described with reference to FIGS. 13 to 15.

As show in FIG. 13, the UE 110 includes a registration/retrieval unit111 and a verification unit 112. The registration/retrieval unit 111performs the processes shown in FIG. 10 or processes equivalent thereto.The verification unit 112 performs the processes shown in FIGS. 11 and12, or processes equivalent thereto. Note that these units 111 and 112are mutually connected with each other through a bus or the like. Theseunits 111 and 112 can be configured by, for example, a transceiver whichconducts direct communication with different UEs through the interfacePC5, a transceiver which conducts communication with the ProSe Function120 through the interface PC3, and a controller such as a CPU (CentralProcessing Unit) which controls these transceivers.

As show in FIG. 14, the ProSe Function 120 includes at least a receptionunit 121 and a transmission unit 122. The reception unit 121 performsthe processes shown at steps S111 and S115 in FIG. 10, or processesequivalent thereto. The transmission unit 122 performs the processesshown at steps S114 and S118 in FIG. 10, or processes equivalentthereto. Moreover, the ProSe Function 120 can also include aregistration unit 123 and an acquisition unit 124. The registration unit123 performs the processes shown at steps S112 and S116 in FIG. 10, orprocesses equivalent thereto. The acquisition unit 124 performs theprocesses shown at steps S113 and S117 in FIG. 10, or equivalentthereto. Note that these units 121 to 124 are mutually connected witheach other through a bus or the like. These units 121 to 124 can beconfigured by, for example, a transceiver which conducts communicationwith the UE 110 through the interface PC3, a transceiver which conductscommunication with the 3rd party 160, and a controller such as a CPUwhich controls these transceivers.

As shown in FIG. 15, the 3rd party 160 includes a storage unit 161 and aresponse unit 162. The storage unit 161 stores the root keys registeredby the ProSe Function 120. The response unit 162 responds to the requestfrom the ProSe Function 120 with sending the stored public keys to theProSe Function 120. Note that these units 161 and 162 are mutuallyconnected with each other through a bus or the like. These units 161 and162 can be configured by, for example, a transceiver which conductscommunication with the ProSe Function 120, and a controller such as aCPU which controls this transceiver.

Note that the present invention is not limited to the above-mentionedexemplary embodiments, and it is obvious that various modifications canbe made by those of ordinary skill in the art based on the recitation ofthe claims.

The whole or part of the exemplary embodiments disclosed above can bedescribed as, but not limited to, the following supplementary notes.

(Supplementary Note 1)

A UE (User Equipment) comprising:

acquisition means for acquiring root keys from a node upon successfullyregistering the UE with the node, the node supporting directcommunication between the UE and one or more different UEs that are inproximity to the UE and allowed to communicate with the UE; and

derivation means for deriving, by use of one of the root keys, a pair ofsession keys for securely conducting direct communication with one ofthe different UEs.

(Supplementary Note 2)

The UE according to Supplementary note 1,

wherein the root keys are correlated with the different UEs in aone-to-one manner,

wherein the derivation means is configured to use, when deriving thesession keys, a root key corresponding to said one of the different UEs.

(Supplementary Note 3)

The UE according to Supplementary note 1,

wherein the root keys are a bunch of keys that are not correlated withgiven UEs,

wherein the derivation means is configured to use, when deriving thesession keys, a root key indicated by the node.

(Supplementary Note 4)

The UE according to any one of Supplementary notes 1 to 3, wherein thedirect communication comprises ProSe (Proximity based Services)communication.

(Supplementary Note 5)

A node that supports direct communication between UEs being in proximityto each other and allowed to communicate with each other, the nodecomprising:

acquisition means for acquiring root keys from a server uponsuccessfully registering one of the UEs with the node, the root keysbeing used for said one of the UEs to derive a pair of session keys forsecurely conducting direct communication with at least another one ofthe UEs, the server managing the root keys; and

distribution means for distributing the root keys to said one of theUEs.

(Supplementary Note 6)

The node according to Supplementary note 5, wherein the root keys arecorrelated with mutually different UEs in a one-to-one manner.

(Supplementary Note 7)

The node according to Supplementary note 5, further comprising:

indication means for indicating to said one of the UE which root key isto be used for deriving the session keys, when the root keys are a bunchof keys that are not correlated with given UEs.

(Supplementary Note 8)

The node according to any one of Supplementary notes 4 to 7, wherein thedirect communication comprises ProSe communication.

(Supplementary Note 9)

A server comprising:

storage means for storing root keys for each of UEs to derive a pair ofsession keys for securely conducting direct communication with at leastanother one of the UEs, the UEs being in proximity to each other andallowed to communicate with each other; and

response means for responding to a request from a node with sending theroot keys to the node, the node supporting direct communication betweenthe UEs.

(Supplementary Note 10)

The server according to Supplementary note 9, wherein the root keys arecorrelated with mutually different UEs in a one-to-one manner.

(Supplementary Note 11)

The server according to Supplementary note 9, wherein the root keys area bunch of keys that are not correlated with given UEs.

(Supplementary Note 12)

The server according to any one of Supplementary notes 9 to 11, whereinthe direct communication comprises ProSe communication.

(Supplementary Note 13)

A communication system comprising:

a plurality of UEs that are in proximity to each other and allowed toconduct direct communication with each other;

a node that supports the direct communication; and

a server that manages root keys for each of UEs to derive a pair ofsession keys for securely conducting direct communication with at leastanother one of the UEs,

wherein the node acquires the root keys from the server uponsuccessfully registering each of the UEs with the node, and distributesthe acquired root keys to each of the UEs,

wherein each of the UEs derives the session keys by using one of thedistributed root keys.

(Supplementary Note 14)

A method of controlling operations in a UE, the method comprising:

acquiring root keys from a node upon successfully registering the UEwith the node, the node supporting direct communication between the UEand one or more different UEs that are allowed to communicate with theUE; and

deriving, by use of one of the root keys, a session key for securelyconducting direct communication with one of the different UEs.

(Supplementary Note 15)

A method of controlling operations in a node that supports directcommunication between UEs being in proximity to each other and allowedto communicate with each other, the method comprising:

acquiring root keys from a server upon successfully registering one ofthe UEs with the node, the root keys being used for said one of the UEsto derive a pair of session keys for securely conducting directcommunication with at least another one of the UEs, the server managingthe root keys; and

distributing the root keys to said one of the UEs.

(Supplementary Note 16)

A method of controlling operations in a server, the method comprising:

storing root keys for each of UEs to derive a pair of session keys forsecurely conducting direct communication with at least another one ofthe UEs, the UEs being in proximity to each other and allowed tocommunicate with each other; and

responding to a request from a node with sending the root keys to thenode, the node supporting direct communication between the UEs.

(Supplementary Note 17)

A UE (User Equipment) comprising:

first means for registering a public key of the UE upon successfullyregistering the UE with a node, and for retrieving public keys of one ormore different UEs, the different UEs being allowed to conduct directcommunication with the UE when the different UEs are in proximity to theUE, the node supporting the direct communication; and

second means for verifying, by using a public key of a first UE amongthe different UEs, a request from the first UE to conduct directcommunication with the UE, the request being protected with a privatekey of the first UE.

(Supplementary Note 18)

The UE according to Supplementary note 17,

wherein the request is for requesting the UE to conduct one-to-onedirect communication with the first UE,

wherein the second means is configured to:

derive a pair of session keys for securely conducting the one-to-onedirect communication, upon succeeding in the verification;

protect a response to the request with a private key of the UE, theresponse including the session keys or a material for deriving thesession keys; and

transmit the response to the first UE.

(Supplementary Note 19)

The UE according to Supplementary note 17,

wherein the request is for requesting the UE to conduct one-to-manydirect communication together with another one or more of the differentUEs, and includes a pair of session keys for securely conducting theone-to-many direct communication,

wherein the second means is configured to extract the session keys fromthe request.

(Supplementary Note 20)

The UE according to any one of Supplementary notes 17 to 19,

wherein a plurality of public keys are allocated to the UEs,

wherein the second means is configured to identify one of the publickeys to be used for the verification, based on an indicator included inthe request.

(Supplementary Note 21)

A UE (User Equipment) comprising:

first means for registering a public key of the UE upon successfullyregistering the UE with a node, and for retrieving public keys of one ormore different UEs, the different UEs being allowed to conduct directcommunication with the UE when the different UEs are in proximity to theUE, the node supporting the direct communication; and

second means for verifying, by using a public key of a first UE amongthe different UEs, a response to a protected first request forrequesting the first UE to conduct one-to-one direct communication withthe UE, the response being protected with a private key of the first UE.

(Supplementary Note 22)

The UE according to Supplementary note 21,

wherein the response includes a pair of first session keys for securelyconducting the one-to-one direct communication or a material forderiving the first session keys,

wherein the second means is configured to:

extract the first session keys or the material from the response, uponsucceeding in the verification; and

derive, when the material is extracted, the first session keys from thematerial.

(Supplementary Note 23)

The UE according to Supplementary note 21 or 22, wherein the secondmeans is configured to:

derive, prior to one-to-many direct communication with two or more ofthe different UEs, a pair of second session keys for securely conductingthe one-to-many direct communication;

include the second session keys in a second request for requesting saidtwo or more of the different UEs to conduct the one-to-many directcommunication;

protect the second request with a private key of the UE; and

transmit the second request to said two or more of the different UEsthrough the node.

(Supplementary Note 24)

The UE according to any one of Supplementary notes 21 to 23,

wherein a plurality of public keys are allocated to the UE,

wherein the second means is configured to include, in the request, anindicator of a public key that corresponds to a private key of the UEused for protecting the request.

(Supplementary Note 25)

A node that supports direct communication between UEs in proximity toeach other and allowed to communicate with each other, the nodecomprising:

reception means for receiving, upon successfully registering one of theUEs with the node, a public key from said one of the UEs; and

transmission means for transmitting, to said one of the UE, public keysof the other UEs as a response to the successful registration,

wherein the public keys are used for each of the UEs to verify at leasta request for the direct communication.

(Supplementary Note 26)

The node according to Supplementary note 25, further comprising:

registration means for registering the public key of said one of the UEwith the server; and

acquisition means for acquiring the public keys of said other UEs fromthe server.

(Supplementary Note 27)

A server comprising:

storage means for storing public keys of UEs that are allowed to conductdirect communication with each other when the UEs are in proximity toeach other, the public keys being registered by a node that supports thedirect communication; and

response means for responding to a request from the node with sendingthe stored public keys to the node,

wherein the public keys are used for each of the UEs to verify at leasta request for the direct communication.

(Supplementary Note 28)

A communication system comprising:

a plurality of UEs that are allowed to conduct direct communication witheach other when the UEs are in proximity to each other; and

a node that supports the direct communication,

wherein each of the UEs shares public keys of the UEs through the nodeupon successfully registering each of the UEs with the node, andverifies at least a request for the direct communication by using one ofthe public keys,

wherein the node receives each of the public keys from each of the UEsupon registering each of the UEs with the node, and transmits, to eachof the UEs, the public keys of different UEs as a response to thesuccessful registration.

(Supplementary Note 29)

The communication system according to Supplementary note 28, furthercomprising a server that manages the public keys,

wherein the node registers each of the public keys of each of the UEswith the server, and acquires the public keys of the different UEs fromthe server,

wherein the server stores the public keys registered by the node, andresponds to a request from the node with sending the stored public keysto the node.

(Supplementary Note 30)

A method of controlling operations in a UE, the method comprising:

registering a public key of the UE upon successfully registering the UEwith a node, and retrieving public keys of one or more different UEs,the different UEs being allowed to conduct direct communication with theUE when the different UEs are in proximity to the UE, the nodesupporting the direct communication; and

verifying, by using a public key of a first UE among the different UEs,a request from the first UE to conduct direct communication with the UE,the request being protected with a private key of the first UE.

(Supplementary Note 31)

A method of controlling operations in a UE, the method comprising:

registering a public key of the UE upon successfully registering the UEwith a node, and retrieving public keys of one or more different UEs,the different UEs being allowed to conduct direct communication with theUE when the different UEs are in proximity to the UE, the nodesupporting the direct communication; and

verifying, by using a public key of a first UE among the different UEs,a response to a protected request for requesting the first UE to conductone-to-one direct communication with the UE, the response beingprotected with a private key of the first UE.

(Supplementary Note 32)

A method of controlling a node that supports direct communicationbetween UEs in proximity to each other and allowed to communicate witheach other, the method comprising:

receiving, upon successfully registering one of the UEs with the node, apublic key from said one of the UEs; and

transmitting, to said one of the UE, public keys of the other UEs as aresponse to the successful registration,

wherein the public keys are used for each of the UEs to verify at leasta request for the direct communication.

(Supplementary Note 33)

A method of controlling operations in a server, the method comprising:

storing public keys of UEs that are allowed to conduct directcommunication with each other when the UEs are in proximity to eachother, the public keys being registered by a node that supports thedirect communication; and

responding to a request from the node with sending the stored publickeys to the node,

wherein the public keys are used for each of the UEs to verify at leasta request for the direct communication.

This application is based upon and claims the benefit of priority fromJapanese patent application No. 2013-225200, filed on Oct. 30, 2013, andJapanese patent application No. 2013-226681, filed on Oct. 31, 2013, thedisclosures of which are incorporated herein in their entireties byreference.

REFERENCE SIGNS LIST

-   10, 10_1-10_m, 110, 110_1-110_m UE-   11, 21, 124 ACQUISITION UNIT-   12 DERIVATION UNIT-   20, 20_1-20_n, 120, 120_1-120_n ProSe Function-   22 DISTRIBUTION UNIT-   23 INDICATION UNIT-   30, 130 E-UTRAN-   40, 140 EPC-   50, 150 ProSe APP Server-   60, 160 3rd party (Server)-   61, 161 STORAGE UNIT-   62, 162 RESPONSE UNIT-   111 REGISTRATION/RETRIEVAL UNIT-   112 VERIFICATION UNIT-   121 RECEPTION UNIT-   122 TRANSMISSION UNIT-   123 REGISTRATION UNIT

The invention claimed is:
 1. A mobile communication system, comprising:a central processing unit coupled to a memory storing instructions forexecuting: a first and a second UEs (User Equipments) implemented by atransceiver and a controller that support Proximity Services (ProSe); afirst ProSe Function that su arts the ProSe and communicates with theplurality of UEs via a PC3 interface; and a second ProSe Function thatsupports the ProSe and communicates with the plurality of UEs via thePC3 interface, wherein the first and second ProSe functions are deployedin different network nodes, wherein the first UE sends a first messagefor a discovery to the first ProSe Function via PC3, wherein the firstProSe Function directly sends a first information on security to thefirst UE via PC3, wherein the first UE receives the first information onsecurity from the first ProSe Function which communicated with a ProSeApplication Server via a PC2 interface based on the first message fordiscovery from the first UE, wherein the second UE sends a secondmessage for the discovery to the second ProSe Function via PC3, whereinthe second ProSe Function directly sends a second information onsecurity to the second UE via PC3, wherein the second UE receives thesecond information on security from the second ProSe Function whichcommunicated with the ProSe Application Server via the PC2 interfacebased on the second message for discovery from the first UE, and whereinthe second UE receives a protected message transmitted from the first UEon a PC5 interface based on the first information and the secondinformation.
 2. The mobile communication system according to claim 1,wherein the protected message is protected by a first key based on thefirst information and a second key based on the second information. 3.The mobile communication system according to claim 1, wherein the ProSeFunction includes a node which supports a ProSe communication betweenthe first and second UEs.
 4. ProSe (Proximity Services) Functions in amobile communication system that includes a central processing unitcoupled to a memory storing instructions for executing a first UE (UserEquipment) and a second UE, implemented by a transceiver and acontroller, which supports ProSe and a ProSe Application Server, theProSe Functions comprising: a first ProSe Function including a firsttransmission unit that supports the ProSe and communicates with thefirst and the second UEs via a PC3 interface and sends a firstinformation on security to the first UE by communicating with the ProSeApplication Server via a PC2 interface based on a first message for adiscovery from the first UE; and a second ProSe Function including asecond transmission unit that supports the ProSe and communicates withthe plurality of UEs via the PC3 interface and sends a secondinformation on security to a second UE which comprises another UE amongthe plurality of UEs by communicating with the ProSe Application Servervia the PC2 interface based on a second message for a discovery from thesecond UE, wherein the first and second ProSe functions are deployed indifferent network nodes, and receiving the first message directly for adiscovery from the first UE and directly sending the first informationon security to the second UE, and receiving the second message for thediscovery from the second UE and sending a second information onsecurity to the first UE, wherein the second UE receives a protectedmessage transmitted from the first UE on a PC5 interface based on thefirst information and the second information.
 5. The ProSe Functionsaccording to claim 4, wherein the protected message is protected by afirst key based on the first information and a second key based on thesecond information.
 6. A first UE (User Equipment) and a second UE in amobile communication system that includes a central processing unitcoupled to a memory storing instructions for executing ProSe (ProximityServices) Functions including a first ProSe Function that supports theProSe and communicates with the plurality of UEs via a PC3 interface, asecond ProSe Function that supports the ProSe and communicates with theplurality of UEs via the PC3 interface, and a ProSe application serverthat communicates with the first ProSe function and the second ProSefunction via a PC2 interface wherein the first UE includes a firsttransceiver that provides the ProSe, and receives a first information onsecurity from the first ProSe Function which discovery from the firstUE, and wherein the second UE includes a second transceiver thatprovides the ProSe, and receives a second information on security fromthe second ProSe Function which communicates with the ProSe ApplicationServer based on a second message for the discovery from the second UE,wherein the first and second ProSe functions are deployed in differentnetwork nodes, wherein the first UE sends a direct communication requestmessage to the second UE, wherein the second transceiver is configuredto send a second message for the discovery to the second ProSe Function,and to directly receive a second information on security from the secondProSe Function, and wherein the second UE receives a protected messagetransmitted from the first UE on a PC5 interface based on the firstinformation and the second information.
 7. The first and second UEsaccording to claim 6, wherein the protected message is protected by afirst key based on the first information and a second key based on thesecond information.
 8. A communication method of a mobile communicationsystem including a first UE (User Equipment) and a second UE implementedby a transceiver and a controller that support Proximity Services(ProSe), a first ProSe Function that supports the ProSe and communicateswith the plurality of UEs via a PC3 interface and a second ProSeFunction that supports the ProSe and communicates with the plurality ofUEs via the PC3 interface, wherein the first and second ProSe functionsare deployed in different network nodes, the communication methodcomprising: sending, by the first UE, a first message for a discovery tothe first ProSe Function via PC3; sending, directly by the first ProSeFunction, a first information on security to the first UE via PC3,wherein the first UE receives the first information on security from thefirst ProSe Function which communicated with a ProSe Application Servervia a PC2 interface based on the first message for discovery from thefirst UE; sending, by the second UE, a second message for the discoveryto the second ProSe Function via PC3; sending, by the second ProSeFunction, a second information on security to the second UE directly viaPC3, wherein the second UE receives the second information on securityfrom the second ProSe Function which communicated with the ProSeApplication Server via a PC2 interface based on the second message fordiscovery from the first UE; and receiving, by the second UE, aprotected message transmitted from the first UE on a PC5 interface basedon the first information and the second information.
 9. Thecommunication method according to claim 8, wherein the protected messageis protected by a first key based on the first information and a secondkey based on the second information.
 10. A communication method of ProSeFunctions (Proximity Services) in a mobile communication system thatincludes a first UE (User Equipment) and a second UE, implemented by atransceiver and a controller, which supports the ProSe and a ProSeApplication Server, the ProSe Functions comprising: a first ProSeFunction including a first transmission unit that supports the ProSe andcommunicates with the first and the second UEs via a PC3 interface andsends a first information on security to the first UE by communicatingwith the ProSe Application Server via a PC2 interface based on a firstmessage for a discovery from the first UE; and a second ProSe Functionincluding a second transmission unit that supports the ProSe andcommunicates with the plurality of UEs via the PC3 interface and sends asecond information on security to a second UE which comprises another UEamong the plurality of UEs by communicating with the ProSe ApplicationServer via a PC2 interface based on a second message for a discoveryfrom the second UE, wherein the first and second ProSe functions aredeployed in different network nodes, the communication methodcomprising: receiving the first message directly for a discovery fromthe first UE; sending the first information on security to the second UEdirectly; receiving the second message for the discovery from the secondUE; and sending a second information on security to the second UEdirectly, wherein the second UE receives a protected message transmittedfrom the first UE on a PC5 interface based on the first information andthe second information.
 11. The communication method according to claim10, wherein the protected message is protected by a first key based onthe first information and a second key based on the second information.12. A communication method of a first UE (User Equipment) and a secondUE in a mobile communication system that includes ProSe (ProximityServices) Functions including a first ProSe Function that supports theProSe and communicates with the plurality of UEs via a PC3 interface, asecond ProSe Function that supports the ProSe and communicates with theplurality of UEs via the PC3 interface, and a ProSe application serverthat communicates with the first ProSe function and the second ProSefunction via a PC2 interface, wherein the first UE includes a firsttransceiver that provides the ProSe, and receives a first information onsecurity from the first ProSe Function which communicates with the ProSeApplication Server based on a first mesa e for a discovery from thefirst UE, and wherein the second UE includes a second transceiver thatprovides the ProSe and receives a second information on security fromthe second ProSe Function which communicates with the ProSe ApplicationServer based on a second message for the discovery from the second UE,wherein the first and second ProSe functions are deployed in differentnetwork nodes, the communication method comprising: sending, by thefirst UE, a direct communication request message to the second UE;sending, by the second transceiver, a second message for the discoveryto the second ProSe Function, and directly receiving a secondinformation on security from the second ProSe Function; and receiving,by the second UE, a protected message transmitted from the first UE on aPC5 interface based on the first information and the second information.13. The communication method according to claim 12, wherein theprotected message is protected by a first key based on the firstinformation and a second key based on the second information.